Need to setup VLAN with Bridged Mode in pFsense 2.7.2
-
Hi
I have been using pfSense on and off for about 10 years now, but for the last 2+ years I have had a small dedicated Intel NUC running as my pfSense at my residence.
The hardware specs are as follows:
Intel NUC with Celeron N2807, 8GB RAM, 120GB SSD, Gigabit onboard Ethernet (connected to WAN in bridged mode) along with a TP-Link UE306 (USB to Gigabit Ethernet, connected to LAN) on a USB 3.0 port, BIOS up to date, pfSense version 2.7.2. Since my hardware has just 1 Gigabit Ethernet port, I had to resort to using a USB Ethernet adapter based on the AX88179 chip, which ran fine for about 6 months, but since I recently had to reinstall pfSense on the machine, my USB Gigabit dongle crashes religiously every 36-48 hours and forces me to hard reboot the machine.
What I want is stability of the entire setup, but I cannot change the machine, so what I have come to understand is to set up my pfSense in bridged mode only, but using the VLAN methodology.
In simpler terms, what I want is:
ISP router connects to pfSense in bridged mode via the onboard Gigabit port of the Intel NUC, and the same onboard Gigabit port is connected to my 24-port Gigabit switch, and then that switch is connected to my mesh and other peripherals/devices.
The 24-port Gigabit switch that I have does not support VLANs, so I can consider purchasing a small 4/5-port Gigabit switch which supports VLANs and gets me up and running with minuscule to no failure.
Kindly help me through; consider me an absolute NOOB in terms of VLANs.
MUCH THANKS AND REGARDS IN ADVANCE.
BugsBunny -
@dkthedriftking Yes what you are looking for is absolutely doable.
So the managed switch could be set up like this:
Port 1 - Connected to WAN (modem) - set to Untagged VLAN ID 10
Port 2 - Connected to NUC - set to Tagged VLAN ID 10 and 20
Port 3 - Connected to 24p switch - set to Untagged VLAN ID 20
In pfSense you need to create two VLANs on igb0 (or whatever it's called): VLAN ID 10 and VLAN ID 20, and assign WAN to ID 10 and LAN to ID 20.
What modem/router is it that you have from the ISP? You may have to go into the UI and make sure it does not hand out the IP to the switch MAC, instead of pfsense MAC...
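The three-port plan above, modelled as an added example (not code from the thread, from pfSense or from any switch vendor). Port numbers, VLAN IDs and the tagged/untagged assignments follow the post; the `Port` class, the frame representation and the factory PVID assumed for the trunk port are assumptions made for illustration. It answers the question a first-time VLAN user usually has: given a frame arriving on one port, where does the switch send it, and with which tag?

```python
"""802.1Q model of the three-port managed-switch plan.

Added example, not code from the thread or from pfSense. Port numbers,
VLAN IDs and tagged/untagged membership follow the post; the Port class,
the frame representation and the trunk port's PVID are assumptions.
"""
from dataclasses import dataclass

WAN_VLAN = 10      # modem <-> pfSense
LAN_VLAN = 20      # pfSense <-> 24-port switch
DEFAULT_VLAN = 1   # assumed factory PVID of the tagged-only trunk port


@dataclass(frozen=True)
class Port:
    name: str
    pvid: int             # VLAN given to frames that arrive without a tag
    untagged: frozenset   # VLANs that leave this port with the tag stripped
    tagged: frozenset     # VLANs that leave this port with an 802.1Q tag

    def carries(self, vlan: int) -> bool:
        return vlan in self.untagged or vlan in self.tagged


# Constructed switch table: port 1 = modem, port 2 = NUC (trunk), port 3 = 24p switch.
SWITCH = {
    1: Port("modem", WAN_VLAN, frozenset({WAN_VLAN}), frozenset()),
    2: Port("nuc", DEFAULT_VLAN, frozenset(), frozenset({WAN_VLAN, LAN_VLAN})),
    3: Port("24p-switch", LAN_VLAN, frozenset({LAN_VLAN}), frozenset()),
}


def classify(port: Port, tag):
    """VLAN an ingress frame belongs to, or None if the switch drops it.

    Untagged frames take the port's PVID. Tagged frames are accepted only
    on ports that are tagged members of that VLAN (ingress filtering), so
    a stray tag injected on the modem or LAN side is discarded.
    """
    if tag is None:
        return port.pvid
    return tag if tag in port.tagged else None


def forward(ingress: int, tag=None) -> dict:
    """Egress ports for a frame arriving on `ingress`, mapped to the tag
    it leaves with (None means it leaves untagged)."""
    vlan = classify(SWITCH[ingress], tag)
    if vlan is None:
        return {}
    out = {}
    for num, port in SWITCH.items():
        if num == ingress or not port.carries(vlan):
            continue
        out[num] = vlan if vlan in port.tagged else None
    return out


def wan_isolated_from_lan() -> bool:
    """True when nothing the modem sends reaches the LAN switch without
    passing through the NUC, and vice versa."""
    return 3 not in forward(1) and 1 not in forward(3)


if __name__ == "__main__":
    cases = [(1, None), (3, None), (2, WAN_VLAN), (2, LAN_VLAN), (2, None), (1, LAN_VLAN)]
    for ingress, tag in cases:
        print(f"port {ingress} tag {tag!s:>4} -> {forward(ingress, tag)}")
    print("WAN/LAN isolated:", wan_isolated_from_lan())
```

Two results are the ones worth noticing. A frame from the modem only ever leaves on port 2 carrying tag 10, and a frame from the 24-port switch only leaves on port 2 carrying tag 20, so the modem and the LAN never see each other directly; everything crosses through pfSense. And an untagged frame sent by the NUC lands in VLAN 1, which no port carries, so it goes nowhere. That is why, on the pfSense side, only the igb0.10 and igb0.20 VLAN interfaces get assigned as WAN and LAN and the parent igb0 itself is left unassigned.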
-
@Gblenn Wow! Thanks a lot, you really simplified it for me to execute this.
Now before I move forward, let me tell you how the entire setup will be once executed as per your recommendation.
- ISP Router (Nokia FTTH router) to Managed Switch (Port 1)
- Managed Switch (Port 2) to pfSense hardware (Gigabyte NUC with onboard Realtek Gigabit NIC) (PPPoE bridged mode, as in the pfSense hardware dials in to the ISP)
pfSense hardware is what gets the public IP from the ISP, and the pfSense hardware is what works as the DHCP server along with the AdGuard server for the entire local network.
- Managed Switch (Port 3) to existing 24-port Gigabit switch which connects to the existing local network.
All the above configuration/connections will require setting up VLANs as per your recommendation on the managed switch and on the pfSense hardware.
Also, the managed switches that I'm considering are the SG105E or SG108E, both TP-Link brand; let me know which I should go for.
Now whilst I'm revamping the setup, I have another question which hopefully will get resolved too with the help from you and/or other members on here.
I have another NUC which is running Windows 11 and is on the verge of running Nextcloud for my own private cloud.
To achieve that I have come to understand that I will need a third-party service like DuckDNS or Dynu DNS or No-IP, since getting a static IP is out of the question.
I believe I have fairly decent knowledge of port forwarding, but all that has gone down the drain while doing so on pfSense, even though I have set up everything like it should be if the port forward were to happen on the ISP's router with no pfSense involved.
Would be great if you can help me on that too and should you need any information from me to help troubleshoot the same then do let me know.
Much thanks and regards.
-
@dkthedriftking So when running NextCloud you want to make sure you have a secure connection and one good way of handling that is using HAProxy in pfsense. Or run a separate instance of e.g. Nginx Proxy manager.
Get your DuckDNS, Dynu or whichever one you like. What you then need to do is the following, in principle:
- Set up Dynamic DNS under Services in pfSense, so that pfSense can monitor and keep it updated pointing at your IP. DuckDNS provides really good instructions on how to set it up, once you have created a first domain name. Click install in the menu and select pfSense... and follow the instructions.
- Set up NextCloud and set it to allow your nextcloud.duckdns.org FQDN and the IP of pfSense (needs to be set in the config).
- Set up HAProxy to use HTTPS, get a certificate for your nextcloud.duckdns.org and point to the IP of your NextCloud server.
- Go into System > Advanced under Firewall & NAT and enable NAT Reflection and Pure NAT.
Now you can use nextcloud.duckdns.org on your PC from behind pfSense, as well as from phones and other devices when external.
-
Much thanks, again; BUT, what you explained in principle sounds simple, but I'm in the blind, AGAIN!
My DuckDNS is already set in my pfSense; I have tried opening all traffic from WAN to all ports on the said NextCloud machine but it's still unsuccessful.
PFA some screenshots for your reference as to what all i have tried till now and guide me further.
edit: public IPs snipped by mod (johnpoz)
-
@dkthedriftking said in Need to setup VLAN with Bridged Mode in pFsense 2.7.2:
Much thanks, again; BUT, what you explained in principle sounds simple, but I'm in the blind, AGAIN!
My DuckDNS is already set in my pfSense; I have tried opening all traffic from WAN to all ports on the said NextCloud machine but it's still unsuccessful.
Oh, please don't do that... port 443 only! Remove that rule asap, you have essentially put the server on the internet.
AND, I think it's probably better to use HAProxy to handle the certificates for you. And in that case, you don't open 443 towards NextCloud, but HAProxy instead (and port 80 is used during certificate setup). However, nothing of this will work until you have set NextCloud to accept communication from the pfSense IP, as well as the domain name you have from DuckDNS. I'm assuming you can access NextCloud locally though?
I do agree, things may look simple in principle, but still not that simple to implement...
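The exposure rule the last two replies argue about, written out as an added example (not code from the thread, from pfSense or from HAProxy). It takes a constructed list of WAN port forwards shaped like pfSense NAT rules and reports which ones deviate from the advice in this post and in the HAProxy step earlier in the thread: expose 443 only, send it to the reverse proxy rather than straight to Nextcloud, and open 80 only while a certificate is being issued. The addresses, the `PortForward` class and the rule list are assumptions; the model treats the proxy as a LAN host (as Nginx Proxy Manager on the second NUC would be), whereas HAProxy running on pfSense itself needs only a WAN pass rule and no port forward.

```python
"""Audit of pfSense-style WAN port forwards against "443 only, via the proxy".

Added example, not code from the thread or from pfSense. The PortForward
fields mirror what a pfSense NAT port-forward rule carries; the addresses
and the rules themselves are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PortForward:
    interface: str
    proto: str          # "tcp", "udp" or "tcp/udp"
    dst_from: int       # first destination port of the forwarded range
    dst_to: int         # last destination port of the forwarded range
    target: str         # internal host the traffic is redirected to
    target_port: int


# Constructed addresses; neither appears in the thread.
NEXTCLOUD = "192.168.1.50"   # the Windows 11 NUC running Nextcloud (listens on 8080)
PROXY = "192.168.1.60"       # HAProxy / Nginx Proxy Manager host

WEB_PORTS = {443, 80}        # 80 only for the ACME HTTP-01 challenge
MAX_RANGE = 16               # anything wider is treated as "whole host exposed"

# Constructed rule list: the first rule is the "all ports" forward the
# replies ask to remove, the third and fourth are the recommended shape.
RULES = [
    PortForward("wan", "tcp/udp", 1, 65535, NEXTCLOUD, 1),
    PortForward("wan", "tcp", 443, 443, NEXTCLOUD, 8080),
    PortForward("wan", "tcp", 443, 443, PROXY, 443),
    PortForward("wan", "tcp", 80, 80, PROXY, 80),
]


def audit(rules, proxy=PROXY):
    """Return (severity, rule index, message) for each rule that deviates
    from the recommended exposure; an empty list means the set is clean."""
    findings = []
    for i, r in enumerate(rules):
        if r.interface != "wan":
            continue                     # only internet-facing forwards matter here
        width = r.dst_to - r.dst_from + 1
        if width > MAX_RANGE:
            findings.append(("critical", i,
                             f"{width} ports forwarded to {r.target}: "
                             "the host is effectively on the internet"))
            continue
        exposed = set(range(r.dst_from, r.dst_to + 1))
        extra = sorted(exposed - WEB_PORTS)
        if extra:
            findings.append(("warning", i,
                             f"ports {extra} to {r.target} are not needed for HTTPS"))
        if 443 in exposed and r.target != proxy:
            findings.append(("warning", i,
                             f"443 goes straight to {r.target}; terminate TLS on "
                             f"{proxy} and forward only to the proxy"))
    return findings


def worst(findings) -> int:
    """2 if anything is critical, 1 if only warnings, 0 if clean."""
    rank = {"critical": 2, "warning": 1}
    return max((rank[s] for s, _, _ in findings), default=0)


if __name__ == "__main__":
    for severity, idx, msg in audit(RULES):
        print(f"[{severity}] rule {idx}: {msg}")
    print("clean after removing rules 0 and 1:", audit(RULES[2:]) == [])
```

Run against the constructed list it flags rule 0 as critical and rule 1 as a warning, and reports the remaining two rules as clean. The width threshold is deliberately crude: a range of a dozen ports still gets examined port by port, while a 1-65535 range is treated as what it is, an unfiltered host.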
-
@dkthedriftking your port is open - but you're sending gibberish on that IP, not an SSL cert - are you sure you want your public IP exposed on the forum? Your screenshot lists your public IP - would you like me to edit that..
You just get back this
"eac7aade88daff9311cdd8fcf9577f4af7477f7c2d4e899a " -
@johnpoz said in Need to setup VLAN with Bridged Mode in pFsense 2.7.2:
would you like me to edit that..
Considering the fw rules in place, if you can redact the IP, it's a good thing to do...
-
@Gblenn agree - done.
So it seems there is a local cert for nextcloud.local, but it's listening on port 8080
@dkthedriftking I would, as suggested by @Gblenn, shut down that all-ports forward.. And look to correct your https issues..
Using a self-signed cert can work - but it's going to be problematic if you want anyone other than yourself to use it because they are not going to trust the cert and will get a warning.
You prob want to look into using ACME (Let's Encrypt) to get a valid cert for whatever FQDN points to your public IP via your DDNS entries.
-
@johnpoz Yes, I noticed that as well, so clearly things are working fine with NC and port forwards.
You prob want to look into using ACME (Let's Encrypt) to get a valid cert for whatever FQDN points to your public IP via your DDNS entries.
@dkthedriftking
So take a look at HAProxy and try to set it up so that you secure your setup with a real signed certificate. Alternatively, perhaps depending on how you installed NextCloud on that machine... is it virtualized? You could install Nginx Proxy Manager, which is likely even simpler to set up for this purpose, and for other future servers.